OK, after some packet dumps with tshark, I use the options:
/usr/sbin/tshark -ni eth0 -c 20 -R udp.port==5000 -d udp.port==5000,cflow -V -r cap1
Where port 5000 is where I receive the netflow and 'cap1' is a file that I
captured it to:
Cisco NetFlow/IPFIX
Version: 9
Count: 15
SysUptime: 1547322177
Timestamp: May 4, 2009 19:38:02.000000000
CurrentSecs: 1241465882
FlowSequence: 549283765
SourceId: 1
FlowSet 1
Data FlowSet (Template Id): 256
FlowSet Length: 1384
Data (1380 bytes), no template found
There it says "no template found." Is this (part of the) problem?
- matt
--- On Fri, 5/1/09, Paolo Lucente <[email protected]> wrote:
> From: Paolo Lucente <[email protected]>
> Subject: Re: [pmacct-discussion] Q. about aggregate_filter and nfacctd
> To: [email protected]
> Date: Friday, May 1, 2009, 4:05 AM
> Hi Matt,
>
> Good, you already tried out what would have been my first
> suggestion. Something else i would recommend traffic load
> permitting: disable buffering (plugin_buffer_size)
> whenever
> testing a new configuration: to be sure nothing remains
> trapped within the buffers giving the feeling something
> doesn't work properly.
>
> Which version of nfacctd are you using? Which version of
> NetFlow are you using? Would it be possible to send over
> privately some NetFlow datagrams (full-size) in libpcap
> format which are containing traffic not being reported?
> If this is NetFlow v9 be sure to include the template in
> the capture file.
>
> Cheers,
> Paolo
>
>
> On Thu, Apr 30, 2009 at 03:36:59PM -0700, Matt Lawson
> wrote:
> >
> > Hi,
> >
> > I am using nfacctd more or less successfully, however
> I wanted to try narrowing down my results by using the
> aggregate_filter. I created the name 'total' because
> aggregate_filter can't be applied globally.
> >
> > So I tried the following config:
> >
> >
> > ! debug: true
> > daemonize: false
> > nfacctd_disable_checks: true
> > plugins: print[total]
> > aggregate[total]: dst_host, dst_port, src_host,
> src_port, proto
> > aggregate_filter[total]: dst port 80
> > print_cache_entries: 1000001
> > print_refresh_time: 10
> > plugin_pipe_size: 10240000
> > plugin_buffer_size: 10240
> > ! interface: eth0
> > nfacctd_ip: w.x.y.z (sanitized)
> > nfacctd_port: 5000
> > pidfile: /var/run/nfacctd
> > logfile: /var/log/nfacctd.log
> >
> >
> > Unfortunately, it captures very, very little
> data. Only a few records compared to what it
> should. If I just take out the "aggregate_filter" line
> it works fine.
> >
> > I have tried with and without the "interface eth0" and
> with and without debug, no help there.
> >
> > I saw an earlier post describing a similar problem
> with sFlow to add "vlan and ..." or "mpls and ..." to the
> filter but that didn't help.
> >
> > Any ideas? TIA.
> >
> > Thanks.
> >
> >
> >
> >
> > _______________________________________________
> > pmacct-discussion mailing list
> > http://www.pmacct.net/#mailinglists
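The thread turns on the point Paolo makes and the tshark output confirms: a NetFlow v9 data FlowSet carries no description of its own layout, so a collector (or tshark reading a capture) can only decode it if the exporter's template FlowSet (id 0) for that template id and source id was seen earlier. The decoder below is an added example written for this thread, not code from pmacct, nfacctd or tshark. It keeps a template cache across packets, reports "no template found" for a data FlowSet whose template is missing, and decodes the records once the template has been seen. The field type numbers are the RFC 3954 ones; the two packets it parses are constructed inline, and the `build_*` helpers, `parse_v9` and `demo` are names of this example only.

```python
"""Minimal NetFlow v9 decoder with a template cache (added example, not pmacct or tshark code)."""
import struct
from ipaddress import IPv4Address

# NetFlow v9 field type ids (RFC 3954); names are informational only
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}
IPV4_FIELDS = {8, 12}
# version, count, SysUptime, unix secs, FlowSequence, SourceId
HEADER = struct.Struct("!HHIIII")


def _decode_field(ftype, raw):
    if ftype in IPV4_FIELDS and len(raw) == 4:
        return str(IPv4Address(raw))
    return int.from_bytes(raw, "big")


def parse_v9(packet, templates):
    """Parse one v9 export packet; `templates` is the persistent cache keyed by
    (source_id, template_id), exactly the state a collector must hold between packets."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than v9 header")
    version, count, _uptime, _secs, seq, source_id = HEADER.unpack_from(packet, 0)
    if version != 9:
        raise ValueError("not NetFlow v9: version %d" % version)
    result = {"version": version, "count": count, "source_id": source_id,
              "flow_sequence": seq, "flowsets": []}
    offset = HEADER.size
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, offset)
        if fs_len < 4 or offset + fs_len > len(packet):
            raise ValueError("bad FlowSet length %d at offset %d" % (fs_len, offset))
        body = packet[offset + 4:offset + fs_len]
        if fs_id == 0:
            # Template FlowSet: one or more (template id, field count, fields...) entries
            pos, ids = 0, []
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                pos += 4
                if pos + 4 * nfields > len(body):
                    raise ValueError("truncated template %d" % tid)
                templates[(source_id, tid)] = [struct.unpack_from("!HH", body, pos + 4 * i)
                                               for i in range(nfields)]
                pos += 4 * nfields
                ids.append(tid)
            result["flowsets"].append({"id": 0, "kind": "template", "templates": ids})
        elif fs_id >= 256:
            # Data FlowSet: the record layout comes only from a previously seen template
            tmpl = templates.get((source_id, fs_id))
            if tmpl is None:
                result["flowsets"].append({"id": fs_id, "kind": "data",
                                           "status": "no template found", "bytes": len(body)})
            else:
                rec_len = sum(flen for _, flen in tmpl)
                records, pos = [], 0
                while pos + rec_len <= len(body):  # leftover bytes shorter than a record are padding
                    rec, p = {}, pos
                    for ftype, flen in tmpl:
                        rec[FIELD_NAMES.get(ftype, "field_%d" % ftype)] = _decode_field(ftype, body[p:p + flen])
                        p += flen
                    records.append(rec)
                    pos += rec_len
                result["flowsets"].append({"id": fs_id, "kind": "data", "status": "ok", "records": records})
        else:
            # id 1 is the options template FlowSet, 2..255 are reserved: skipped here
            result["flowsets"].append({"id": fs_id, "kind": "other", "bytes": len(body)})
        offset += fs_len
    return result


# Constructed sample packets (not from a real exporter): template 256 and two records using it
TEMPLATE_256 = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4)]


def _header(count, source_id=1, seq=1):
    return HEADER.pack(9, count, 1000, 1241465882, seq, source_id)


def build_template_packet():
    body = struct.pack("!HH", 256, len(TEMPLATE_256)) + b"".join(struct.pack("!HH", t, l) for t, l in TEMPLATE_256)
    return _header(1) + struct.pack("!HH", 0, 4 + len(body)) + body


def build_data_packet():
    recs = b"".join(IPv4Address(s).packed + IPv4Address(d).packed + struct.pack("!HHBI", sp, dp, pr, nb)
                    for s, d, sp, dp, pr, nb in [("192.0.2.10", "198.51.100.5", 40000, 80, 6, 1500),
                                                 ("192.0.2.11", "198.51.100.5", 40001, 443, 6, 9000)])
    pad = (-(4 + len(recs))) % 4  # FlowSets are padded to a 32-bit boundary
    return _header(2) + struct.pack("!HH", 256, 4 + len(recs) + pad) + recs + b"\x00" * pad


def demo():
    """Same data packet twice: first with an empty cache (what a capture without the
    template looks like), then after the template packet has been parsed."""
    cache = {}
    without_template = parse_v9(build_data_packet(), cache)
    parse_v9(build_template_packet(), cache)
    with_template = parse_v9(build_data_packet(), cache)
    return without_template, with_template


if __name__ == "__main__":
    for label, res in zip(("template missing", "template cached"), demo()):
        print(label, "->", res["flowsets"][0])
```

The practical consequence for a capture sent to a list or fed to nfacctd from a file is the one Paolo asks for: the capture has to start early enough to contain the template FlowSet for every template id that later data FlowSets use, otherwise every decoder will report exactly what tshark printed above. Exporters resend templates periodically, so capturing for longer than the template refresh interval is the simplest way to guarantee this.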